Payment fraud: a look at emerging trends and how VoP can help

On Monday, April 29th, the EBA (European Banking Authority) released an Opinion that identifies new types and patterns of payment fraud and puts forward proposals to tackle them (the “Opinion”). This Opinion reinforces the importance of the anti-fraud measures established in the upcoming frameworks, namely IPR (Instant Payments Regulation), PSD3 (3rd Payment Services Directive) and PSR (Payment Services Regulation).
Things are getting better…
The EBA Opinion first points out the positive effects of the PSD2 security requirements on fraud levels across the EU. These notably include strong customer authentication (SCA), complemented by transaction monitoring measures.
For instance, fraud levels for credit transfers represent 0.0008% of the total value of credit transfers (i.e., 8 euros defrauded out of 1 million euros transmitted) and 0.0020% for direct debits in 2022.
Moreover, the EBA notes that SCA is now “widely used to authenticate remote electronic transactions, including those for e-commerce”. Even though some SCA exemptions exist (to support the development of more user-friendly and innovative means of payment), SCA was applied for 70% of remote credit transfers.

Despite the positive note on which the Opinion starts, the EBA raises concerns about the high levels of fraud identified “for some specific payment instruments, geographic dimensions, jurisdictions, or combinations thereof”.
Key findings and emerging fraud trends
In the first half of 2022, 18 National Competent Authorities (NCAs) reported that for Instant Credit Transfers (or Instant Payments), “the fraud rates in value […] are about 10 times higher on average than conventional Credit Transfers”. As explained in the Opinion, the EBA believes this higher fraud rate may be (partially) due to the fact that the possibility for PSPs to recover funds in case of fraudulent instant payments is limited or even impossible, as these types of payments are executed within 10 seconds. With the recent entry into force of the Instant Payments Regulation, instant payments are expected to be increasingly used in the EU. (See Verification of Payee, or VoP, below.)
Fraud rates for cross-border transactions are much higher than for domestic ones. By analyzing the aggregate data at EEA level for 2022, the EBA notes that for both cards and credit transfers, “cross-border fraud rates in volume are about 9 times higher than for domestic transactions”. This could be due to insufficient cross-border cooperation among Payment Service Providers and stakeholders dealing with international crime activities. Moreover, when EEA countries are involved, one of the reasons for such a higher fraud rate may be an uneven application of SCA.

The EBA also notes that the distribution of liability for fraud losses varies across payment instruments in the EEA. For instance, in 2022, the losses were approximately shared between PSUs and PSPs for card payments. When it comes to credit transfers, the share of losses borne by PSUs was 79%. This finding could be explained by the fact that “an increasing number of payment fraud takes the form of manipulation of the payer”. Moreover, the EBA underlines a lack of clear delineation between authorized and unauthorized transactions in PSD2, sometimes leading to slightly different application of the liability rules across the different Member States.
Fraud rates vary notably across EEA countries, with some Member States having aggregate fraud levels much higher than the EEA average. Several reasons can explain such figures, for instance the difference in the payment services offered by PSPs in the various markets, or the lack of digital skills of citizens in some of those countries. It could also be linked to “the different implementation of the security requirements by PSPs and varying supervisory practices across Member States”.
When it comes to emerging fraud types, the EBA notes that fraudsters are adapting their techniques to the technological and regulatory contexts. As explained earlier, although the implementation of SCA has led to positive results, new fraud types have emerged in recent years:
- Manipulation of the payer: here, the customer is manipulated by a fraudster, through social engineering, into making a payment to the fraudster. Independent of security measures, these types of fraud leverage information gathered via social networks to impersonate a known and trusted party (relative, friend, business partner, etc.).
- Mixed social engineering and technical scam: the combination of phishing techniques (to steal customers’ credentials and issue payment orders) and social engineering to manipulate the PSUs to later authorize the payment.
- Enrolment process compromise: a complex scam that consists of enrolling a fraudster’s device as a second factor of the SCA, to be used with the customer’s personal security credentials stolen via phishing techniques. Here, the fraudster really takes over the payment account and will be able to process multiple fraudulent payments.
Preventing such fraudulent transactions
As expressed in the Opinion, “the EBA welcomes the new security provisions included in the EU Commission’s PSD3/PSR proposals and in the Instant Payments Regulation”. More specifically, the EBA more than welcomes the IBAN-Name Check (or Verification of Payee) obligation which was introduced in IPR, as well as other additional fraud mitigation measures described in PSR (enhanced transaction monitoring, supporting sharing of fraud-related information between PSPs, etc.). The EBA also highlights that additional provisions to mitigate fraud have been proposed by the ECON on the PSD3/PSR proposals and agreed by the European Parliament: these aim notably at making electronic communications service providers outside the financial sector also responsible for tackling payment fraud.
Yet, the EBA would like to see more security measures considered, with the aim of “supporting a comprehensive, uniform and future proof framework for the mitigation and control of payment fraud in the EU”. The authority has therefore identified 5 additional measures for consideration by the EU co-legislators and the EU Commission in the negotiation of the PSD3/PSR proposals:
- Reinforced security requirements for PSPs, complementing the IBAN/name check and the fraud mitigation measures included in the PSD3/PSR proposals, aimed at further strengthening the procedure for the authentication of transactions, mitigating possible vulnerabilities exploited in other phases of the payment process, as well as supporting fraud detection and investigation;
- A fraud risk management framework to be put in place by PSPs, on top of the mandatory security requirements;
- Amended liability rules, including a proper delineation between authorized and unauthorized transactions, as well as the clarification of the concept of “gross negligence”;
- A strengthened and harmonized supervision on fraud management, also leveraging on fraud data already collected under the PSD2;
- Appropriate security requirements for a single EU-wide platform for information sharing to prevent and detect potentially fraudulent payment transactions.
Getting started with VoP
At LUXHUB, we have developed an efficient solution to support Payment Service Providers in their upcoming Verification of Payee challenge. VoP is a strategic project for PSPs, and several key points of attention need to be raised; such projects should be on the radar of compliance teams starting today.
- More security and trust in payments: The deployment of VoP will significantly help reduce the fraud cases, particularly in the context of instant payments.
- Ensure a smooth user experience: The way VoP will be provided through different payment initiation channels will be key to its success (or failure).
With LUXHUB’s Payee Verification Platform,
- PSPs will be supported in exposing and managing, in a secure and compliant manner, real-time name and account details checking.
- It will also offer PSPs a single interface to check payee accounts in all European banks.
- Payee Verification Platform will enable public and private organizations to check payee accounts throughout the payment lifecycle (available soon).
Source: EBA